Android attack improves timing, allows data theft

Mobile apps could gather sensitive information on other running applications.

A malicious application could enable the theft of login credentials, sensitive images, and other data from Android smartphones by making use of a newly discovered information-leakage weakness in the operating system, according to a team of researchers from the University of Michigan and the University of California at Riverside.

The attack, known as a user interface (UI) inference attack, makes use of the design of programming frameworks that share memory, allowing one application to gather information about the state of other applications. The information can be gathered without any special Android permissions and without access to screen pixels, according to a paper presented at the USENIX Security Conference on Friday.

The technique gives attackers the ability to infer the state of a targeted application, enabling more convincing attacks. If malware knows that the targeted user has just clicked on a "login" button, then it can throw up a dialog box asking for a username and password. If the malware can infer that a user is about to take a picture of a check or sensitive document, it can quickly take a second picture.

"Although UI state knowledge does not directly reveal user input, due to a lack of direct access to the exact pixels or screenshots, we find that it can effectively serve as a building block and enable more serious attacks such as stealing sensitive user input," the researchers stated in the paper.

An attack application must be running in the background, where it can determine the foreground activity of a targeted app with 80 to 90 percent accuracy in most applications, the researchers said. The technique detects transitions in the UI state of the targeted app and then uses a signature to identify the new state. The signature is built from four different events (input from the user, content provided by another application, CPU utilization of any drawing event, and the size of any packets sent) that together represent the state of the targeted program quite accurately, it appears.

"The assumption has always been that these apps can't interfere with each other easily," Zhiyun Qian, an associate professor of computer security at UC Riverside and co-author of the paper, said in a statement. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."

Any attack that is more convincing if actions are tied to specific user-interface events will benefit from the UI inference technique, the researchers said. The leakage of information about purportedly isolated applications is an example of what is known as a side-channel attack.

In videos demonstrating the UI inference attack, the research group showed the malicious software stealing a username and password from the H&R Block application, copying an image of a check taken by the Chase Bank application, and stealing credit-card information from the NewEgg store.

"By design, Android allows apps to be preempted or hijacked," Qian said in a statement. "But the thing is you have to do it at the right time so the user doesn't notice. We do that and that's what makes our attack unique."

Because the attack does not rely on any specific vulnerability in the operating system, hardening the software against it will be difficult, according to the paper.

While the researchers focused on the Android operating system, the operating-system architecture that they exploit is present on most other major OSes, including Mac OS X, iOS and Windows, the paper stated.

"We believe our attack on Android is likely to be generalizable to other platforms," the paper stated.

Robert Lemos

Robert Lemos is an award-winning freelance journalist, on assignment as IT security correspondent for Ars Technica. A former research engineer, he covers malware, hacking, cybercrime and enterprise security technology for a number of publications, including Ars Technica, eWEEK, TechTarget and MIT Technology Review. Twitter: @roblemos